The Hard and Soft of Deleting Data - Don't Let Data Come Back to Haunt You
Text / Robert H. Spencer, PhD


In its most recent study as of press time, the United States Environmental Protection Agency (EPA) reported that between 26 and 37 million computers came to the end of their life cycles in 2005, and that is just desktop and laptop computers. Add in peripherals, servers, and other computer storage devices (which the EPA tracks separately) and the number is much higher.

 

An article published by IBM in late 2006 relied on those higher numbers to report that the United States discards 250 million computers every year.

 

When improperly thrown out, computers endanger the environment. Another serious issue is that much of the sensitive data stored on the systems' hard drives is unprotected. Even if users studiously delete files or even format the hard drives first, smart thieves can often recover sensitive files.


That is why you need to think about best practices for both the software and the hardware aspects of deleting sensitive files. We'll start with the software part of the equation: the data or file side.

 

The Data Side of Deleting Data

Most computer systems store sensitive information on local hard drives, and discarded computers are no exception. The data is in the form of easily recoverable files or file remnants. This is trash that could quickly become a treasure to someone else.

 

The Law May Not Be On Your Side

 

While you might think it would be illegal for someone else to read your information, reading someone else's data is not necessarily illegal. The IBM article notes that a 1998 U.S. Supreme Court ruling means that we waive most of our rights to privacy when we discard materials. In other words, if you leave "it" on the curb, or throw "it" away, "it" is fair game for anyone else to retrieve. So the burden to protect sensitive information remains with you and your clients.

 

So, how do you protect yourself? To understand the risk, it helps to review what happens when you delete a file, and why sometimes even the entire file may be brought back to life.

 

Why Hitting the Delete Key Is Not Enough

Many of you know some or most of these issues relating to file deletion, but let's take them in order.

  1. When you delete a file, the operating system "flags" the file as no longer needed and lets the file handler know that this space is now available for new data. The old data is still stored across the surface of the disk and is not actually removed or written over until another program needs to store something; the operating system then looks for available space and releases it for use in small sections called blocks. Only when all the old blocks of data are written over will all the old data be gone! If you delete a file, the file is listed in the Trash Can (Mac) or Recycle Bin (Windows), but these files are not deleted, and the space is not made available for use, until you actually elect to "empty" the icon.
  2. Emptying the Trash Can or Recycle Bin marks the file space as available for use; remember, the data is not actually removed. Typically, what happens is that the operating system flags the directory file entry to show that the space is now available and will use that space as it is needed for new files. Deleting a file does not really erase the information; it merely erases pointers to the information.
  3. But even if the old file directory space is reused, the old data is still distributed over the hard drive in small pieces called blocks, until a new file overwrites all the blocks of data that make up the deleted file. Up to that point, the entire file or pieces of the file can be easily recovered. There are a number of free downloadable utilities that can be used to recover some or all of the data blocks of supposedly deleted files. There are also utilities that not only delete a file entry in the directory but also write over the data blocks themselves to make recovery much more difficult.
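The three points above can be seen in a small model. The following Python sketch is an added example, not part of the original article; the ToyDisk class, the file names and the ledger text are constructed for illustration and do not reproduce any real file system's on-disk format.

```python
import os

BLOCK = 16  # bytes per block (tiny, so the effect is easy to see)

class ToyDisk:
    """Constructed model: a directory of pointers plus raw data blocks."""
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))   # block numbers available for use
        self.directory = {}                # file name -> list of block numbers

    def write(self, name, data):
        used = []
        for i in range(0, len(data), BLOCK):
            n = self.free.pop(0)           # take the first available block
            self.blocks[n] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            used.append(n)
        self.directory[name] = used

    def delete(self, name):
        # Points 1 and 2: only the pointer goes; block contents are untouched.
        self.free = self.directory.pop(name) + self.free

    def remnants(self):
        # What an undelete utility can read: raw contents of "free" blocks.
        return b"".join(self.blocks[n] for n in sorted(self.free))

    def wipe_free(self):
        # What a data-wiping utility does: overwrite the blocks themselves.
        for n in self.free:
            self.blocks[n] = os.urandom(BLOCK)

def demo():
    disk = ToyDisk(8)
    secret = b"ACCT 4417-0093 balance 1,204,388.17 SGD"  # constructed sample
    disk.write("ledger.txt", secret)
    disk.delete("ledger.txt")
    after_delete = disk.remnants()             # whole file still readable
    disk.write("memo.txt", b"lunch at noon")   # reuses only one freed block
    after_reuse = disk.remnants()              # point 3: pieces remain
    disk.wipe_free()
    after_wipe = disk.remnants()               # old blocks now random bytes
    return disk, secret, after_delete, after_reuse, after_wipe

if __name__ == "__main__":
    _, secret, d, r, w = demo()
    print(secret in d, b"1,204,388.17" in r, b"1,204,388.17" in w)
```

After the delete, the full ledger text is still in the free blocks; after a new, smaller file reuses one block, the balance figure is still readable; only after the free blocks are overwritten is it gone.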

 

Many of your clients do not realize that when they delete a file, they are only putting it into an electronic limbo. From that limbo, it can be retrieved by skilled computer criminals, curious minds, or perhaps a computer forensic specialist.

 

Utilities to Undelete Files

 

A quick web search will provide you with a number of free utilities to undelete files. Utilities such as these are used to recover lost files, as well as to find out what people have been doing and to recover supposedly deleted files from discarded computers.

 

Figure 1 shows a screen from one such utility, in this case, FreeUndelete.


Figure 1. Example of Delete Utility (FreeUndelete 1.0)


Best Data Practices

 

So how do you protect yourself? How can you safely remove expired data? While reformatting the hard drive makes it harder to access files, this method is really just a more advanced way to obscure information that still remains on the computer. Data-wiping utilities that overwrite hard drives with random binary numbers may be more effective, but can be time consuming. As we discuss in the disposal of hardware article, the most effective method is to remove the hard drive, take out the data disk, and smash it to pieces. This not only ensures the destruction of the data stored on the drive, but many report that the exercise is personally rewarding. (My feeble attempt at humor, but true.)

 

When you consult with clients, agree on an acceptable level of security when it comes to deleting data. Clients may look to you for your recommendation. It is not always necessary to physically destroy the disk when disposing of a system, but it is potentially wise. If you know the system is to be recycled and that someone may later use the hard disk, one of the DoD-compliant data removal utilities should be run against the drive. We have listed a few of these below.

 

Many companies find a safe harbor in relying on programs that meet the minimum Department of Defense (DoD) guidelines. For reference, visit the website for the National Industrial Security Program Operating Manual (publication DoD 5220.22-M) to download guidelines in PDF or RTF format. Or search for other sites to find a full or abbreviated version.

 

Programmes That Help You Erase Disk Drives

 

Reformatting software programs that comply with government-accepted standards include:

  • CHAOS Shredder
  • Active ERASER

More options can be found at shareware sites like Shareware Connection or Shareware.com.

 

Beyond DoD Standards

 

For some, these guidelines may not be stringent enough. Be prepared to encounter stricter guidelines for clients who deal in highly secretive data or are concerned about loss of intellectual property.

 

The Hardware Side of Deleting Data

 

In our article on disposing of sensitive data we discussed the potential dangers of discarding a computer system without making sure that all data remnants had been destroyed. As a consultant, I recommend to my clients that they dispose of the computer and the hard drives separately by removing the drive and physically destroying it.

 

Too many clients dump or store old technology, not realizing the data security hazard or the ecological one. The EPA study's recent data shows that, measured by weight, only 11% of electronic devices are being recycled in the sense of a recycler dismantling or refurbishing the equipment for extended use. Forty-five percent is disposed of in landfills or by incineration, creating a potentially heavy ecological threat. The remaining 44% is stored or is sold informally or donated to a charity for reuse.

 

The sheer volume of PCs that are discarded improperly, or are stored and forgotten for later disposal, is seen as an ecological time bomb. Several states are so concerned that specific legislation has been passed to regulate the destruction of computers and components.

 

Don't Trash - Recycle

 

Although some of your colleagues or clients may look on data deletion as a hassle, you can see it as a business opportunity. As a consultant, you can work with interested clients and advise them on best practices in how to destroy and discard old equipment. You might even make a few dollars doing it.

 

Companies Gearing Up to Help

 

Several environmentally conscious companies, such as IBM, HP and Dell, are helping the computer industry by taking trade-ins or offering buybacks. Some computer resellers are willing to pick up discarded equipment when installing new equipment and to recycle it properly. As you know, these types of services have been the norm for decades in other industries such as appliances and automobiles. In some cases these services are only offered to larger businesses, but consultants can offer these services to several smaller clients and take advantage of creating volume this way.

 

Finding the Right Partner


IBM in particular offers several excellent suggestions to help you determine if you have the right partner to recycle equipment and protect yourself. To be sure you are getting what you need from your partner, use the following questions:

  1. Does the program pay cash, or simply offer credit toward new purchases?
  2. Are there minimum quantity requirements?
  3. Is the cost of disposal balanced against the ever-changing market value of the equipment, which may mean that the sooner you upgrade the more value you recover?
  4. Does the program offer security services to prevent data from getting into the wrong hands?
  5. Does equipment destruction meet regulatory standards, and is documentation available to verify compliance?
  6. How quickly will you receive your money?
  7. How easy and convenient is the process?
  8. Does the program accept assets without market value?
  9. Who is responsible for packaging and transportation?

 

Rather than wait until computers and peripherals become utterly worthless, help your small business clients to create a plan in advance to recycle these devices. If there is a plan in place, they are more likely to act responsibly and make better business decisions. If they seem hesitant, check your state's regulatory guidelines; you may be helping the company avoid costly fines and fees. And when regulatory compliance turns into unexpected windfalls for future hardware purchases, learning to let go can become a pretty attractive proposition.

 

Legal Requirements and the Long Arm of the Law


Recent legislation at the municipal, state and provincial levels in the United States and Canada is now addressing issues related to data privacy and untreated computer waste. In many parts of North America, recycling computers is no longer just a good idea; it's the law. Failure to properly dispose of sensitive information could result in fines and possibly legal action, not to mention being very embarrassing to you if your firm appears in the morning paper. On the federal level, bills such as the U.S. National Computer Recycling Act would require recycling and safe disposal of all old computer equipment nationwide.


While these new regulations are a boon to the environment and privacy, they may pose serious compliance problems for small businesses that are already stretched thin in their efforts to understand and abide by laws covering workplace safety, privacy, taxes, zoning requirements and long-standing environmental codes.

 

Avoiding Disposal Charges


Check to see if your clients have retained their purchase receipts. More recently, computer sales in many states include a computer disposal fee built in as a required payment at time of purchase. Presenting that receipt at a recycling center can help you avoid charges.

 

The Final Decision


In the end, the decision is yours in how you deal with your own computer technology and how you decide to counsel clients. Several states currently require you to report to customers or clients if you believe any sensitive information has been leaked or stolen from your organization, and may hold you responsible if the leak can be traced back to you.

 

Parting Thoughts

 

  • Recycle Centers. In many areas of the country, you can now take obsolete IT equipment down to the local recycling center, along with old newspapers and magazines. However, some consultants take precautions before they let go of obsolete equipment, as suggested below.
  • No Guarantees. Remember that recycling centers do not typically guarantee data security with paper documents, let alone computers and peripherals.
  • Encryption. For further protection, even when they believe they have truly removed sensitive data files, some consultants will encrypt the entire disk drive before letting go of the machine. Some of the best disk encryption utilities may be found at www.pgp.com and there are other sources of data encryption software and hardware.
  • Hammer and Tongs. Some consultants take a brute force approach, opening the case and physically destroying memory components.
  • No Dump and Run. It is illegal in most localities to simply throw technology in the trash. Such laws exist because of the potentially harmful components in most computer systems and other technology hardware. These hazards include poisonous heavy metals, such as lead, mercury, cadmium and beryllium.

 

"The Hard & Soft of Deleting Data, Parts 1 and 2," by Robert H. Spencer, PhD, Intuit ProConnection Newsletter, April 2008 (VII:4). © 2005 by Intuit Inc. Used by permission. All rights reserved. The Intuit ProConnection Newsletter is published monthly throughout the year to give accounting professionals the information and tools they need to succeed

